min
/
boring2
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
boring2/tokio-boring
History
Braden Ehrat 1507689c5b
Add fips-3678 feature (#52) 
* Add rerun-if-env-changed instructions for BORING_* variables

* Use X509_get0_notBefore() and X509_get0_notAfter() instead of X509_getm_notBefore() and X509_getm_notAfter().

According to
https://www.openssl.org/docs/man1.1.0/man3/X509_getm_notBefore.html,
"X509_getm_notBefore() and X509_getm_notAfter() are similar to
X509_get0_notBefore() and X509_get0_notAfter() except they return
non-constant mutable references to the associated date field of the
certificate".

* Only update boringssl submodule if BORING_BSSL_PATH not provided

* Allow BORING_BSSL_LIB_PATH to control link search

* Add fips feature

* Use X509_set_notAfter unconditionally for FIPS compatibility

This is equivalent according to
https://boringssl.googlesource.com/boringssl/+/c947efabcbc38dcf93e8ad0e6a76206cf0ec8072

The version of boringssl that's FIPS-certified doesn't have `X509_set1_notAfter`.
The only difference between that and `X509_set_notAfter` is whether they're const-correct,
which doesn't seem worth having two different code-paths.

* Check out fips commit automatically

* Verify the version of the compiler used for building boringssl

NIST specifies that it needs to be 7.0.1; I originally tried building with clang 10 and it failed.
Theoretically this should check the versions of Go and Ninja too, but they haven't given me trouble in practice.

Example error:
```
   Compiling boring-sys v1.1.1 (/home/jnelson/work/boring/boring-sys)
error: failed to run custom build command for `boring-sys v1.1.1 (/home/jnelson/work/boring/boring-sys)`

Caused by:
  process didn't exit successfully: `/home/jnelson/work/boring/target/debug/build/boring-sys-31b8ce53031cfd83/build-script-build` (exit status: 101)
  --- stdout
  cargo:rerun-if-env-changed=BORING_BSSL_PATH

  --- stderr
  warning: missing clang-7, trying other compilers: Permission denied (os error 13)
  warning: FIPS requires clang version 7.0.1, skipping incompatible version "clang version 10.0.0-4ubuntu1 "
  thread 'main' panicked at 'unsupported clang version "cc (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0": FIPS requires clang 7.0.1', boring-sys/build.rs:216:13
  note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
```

* Add Github actions workflow testing FIPS

Co-authored-by: Joshua Nelson <jnelson@cloudflare.com>
 		2022-01-31 16:11:33 -06:00
..
examples Update documentation for tokio-boring 2021-07-29 11:28:43 -04:00
src Relax constraints on `Display for tokio-boring::HandshakeError` 2021-11-04 12:38:39 -05:00
tests Sync upstream changes to support tokio 1.x 2021-02-18 16:12:19 +00:00
CHANGELOG.md Add/update changelogs 2021-12-16 13:52:38 -06:00
Cargo.toml Add fips-3678 feature (#52) 2022-01-31 16:11:33 -06:00
LICENSE-APACHE Add tokio-boring 2020-11-11 19:26:22 +00:00
LICENSE-MIT Add hyper-boring 2020-11-11 20:29:54 +00:00
README.md Update documentation for tokio-boring 2021-07-29 11:28:43 -04:00

README.md

tokio-boring

An implementation of SSL streams for Tokio built on top of the BoringSSL.

Documentation

Usage

First, add this to your Cargo.toml:

[dependencies]
tokio-boring = "1.0.0"

Then, use either accept or connect as appropriate.

use boring::ssl;
use tokio::net::TcpListener;

#[tokio::main]
async fn main() -> anyhow::Result<()> {
    let listener = TcpListener::bind("127.0.0.1:8080").await?;
    let (tcp_stream, _addr) = listener.accept().await?;

    let server = ssl::SslMethod::tls_server();
    let mut ssl_builder = boring::ssl::SslAcceptor::mozilla_modern(server)?;
    ssl_builder.set_default_verify_paths()?;
    ssl_builder.set_verify(ssl::SslVerifyMode::PEER);
    let acceptor = ssl_builder.build();
    let _ssl_stream = tokio_boring::accept(&acceptor, tcp_stream).await?;
    Ok(())
}

This library is an implementation of TLS streams using BoringSSL for negotiating the connection. Each TLS stream implements the Read and Write traits to interact and interoperate with the rest of the futures I/O ecosystem. Client connections initiated from this crate verify hostnames automatically and by default.

tokio-boring exports this ability through [accept] and [connect]. accept should be used by servers, and connect by clients. These augment the functionality provided by the [boring] crate, on which this crate is built. Configuration of TLS parameters is still primarily done through the [boring] crate.

License

This project is licensed under either of

at your option.

Contribution

Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in Serde by you, as defined in the Apache-2.0 license, shall be dual licensed as above, without any additional terms or conditions.

Accolades

The project is based on a fork of tokio-openssl.